From b39e627be0d8911c23932cde8a7a55897e20aedf Mon Sep 17 00:00:00 2001 From: Richard Hughes Date: Mon, 20 Mar 2023 13:01:43 +0000 Subject: [PATCH] Backport the Redfish security fixes which affect IDRAC --- ...usr-libexec-platform-python-for-RHEL.patch | 29 ++++ ...permissions-of-redfish.conf-at-insta.patch | 28 ++++ ...ate-users-using-IPMI-when-we-know-it.patch | 47 ++++++ ...edfish-passwords-to-a-file-readable-.patch | 141 ++++++++++++++++++ fwupd.spec | 13 +- 5 files changed, 256 insertions(+), 2 deletions(-) create mode 100644 0001-Use-usr-libexec-platform-python-for-RHEL.patch create mode 100644 0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch create mode 100644 0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch create mode 100644 0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch diff --git a/0001-Use-usr-libexec-platform-python-for-RHEL.patch b/0001-Use-usr-libexec-platform-python-for-RHEL.patch new file mode 100644 index 0000000..4bc0dc7 --- /dev/null +++ b/0001-Use-usr-libexec-platform-python-for-RHEL.patch @@ -0,0 +1,29 @@ +From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 22 Aug 2023 10:05:27 +0100 +Subject: [PATCH] Use /usr/libexec/platform-python for RHEL + +--- + meson.build | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/meson.build b/meson.build +index bb406d616..ac90c8ee6 100644 +--- a/meson.build ++++ b/meson.build +@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes', + endif + + bashcomp = dependency('bash-completion', required: false) +-if host_machine.system() != 'freebsd' +- python3 = find_program('python3') +-else +- python3 = find_program('python3.8', 'python3', 'python3.9') +-endif ++python3 = find_program('/usr/libexec/platform-python') + + if get_option('gnutls') + gnutls = dependency('gnutls', version : '>= 3.6.0') +-- +2.41.0 + diff --git a/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch b/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch new file mode 100644 index 0000000..b3f334e --- /dev/null +++ b/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch @@ -0,0 +1,28 @@ +From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 20 Sep 2022 08:06:12 +0100 +Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install + time + +Although typically we set the password using fu_plugin_set_secure_config_value() +or something like Ansible or Puppet -- the user could just edit the file with +vim and we still want the permissions set correctly. +--- + plugins/redfish/meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build +index 34ba4b7f6..7b19574de 100644 +--- a/plugins/redfish/meson.build ++++ b/plugins/redfish/meson.build +@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish', + + install_data(['redfish.conf'], + install_dir: join_paths(sysconfdir, 'fwupd'), ++ install_mode: 'rw-r-----', + ) + + if get_option('tests') +-- +2.39.1 + diff --git a/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch b/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch new file mode 100644 index 0000000..f7ec617 --- /dev/null +++ b/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch @@ -0,0 +1,47 @@ +From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 20 Sep 2022 09:13:52 +0100 +Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's + going to work + +Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI +implementations are not specification compliant and do entirely the wrong thing. +--- + plugins/redfish/fu-plugin-redfish.c | 8 ++++++++ + plugins/redfish/redfish.quirk | 2 +- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c +index deb0fe742..3972d4b4b 100644 +--- a/plugins/redfish/fu-plugin-redfish.c ++++ b/plugins/redfish/fu-plugin-redfish.c +@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error) + #ifdef HAVE_LINUX_IPMI_H + /* we got neither a type 42 entry or config value, lets try IPMI */ + if (fu_redfish_backend_get_username(data->backend) == NULL) { ++ if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) { ++ g_set_error_literal(error, ++ FWUPD_ERROR, ++ FWUPD_ERROR_NOT_SUPPORTED, ++ "no username and password specified, " ++ "and no vendor quirk for 'ipmi-create-user'"); ++ return FALSE; ++ } + if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) { + g_debug("attempting to create user using IPMI"); + if (!fu_redfish_plugin_ipmi_create_user(plugin, error)) +diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk +index b12439926..5e9722fda 100644 +--- a/plugins/redfish/redfish.quirk ++++ b/plugins/redfish/redfish.quirk +@@ -1,6 +1,6 @@ + # Lenovo ThinkSystem + [42f00735-c9ab-5374-bd63-a5deee5881e0] +-Flags = wildcard-targets,reset-required ++Flags = wildcard-targets,reset-required,ipmi-create-user + + [REDFISH\VENDOR_Lenovo&ID_BMC-Backup] + ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary +-- +2.39.1 + diff --git a/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch b/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch new file mode 100644 index 0000000..f9e717d --- /dev/null +++ b/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch @@ -0,0 +1,141 @@ +From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Wed, 21 Sep 2022 14:56:10 +0100 +Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by + users + +When the redfish plugin automatically creates an OPERATOR user account on the +BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it +is chmod'ed to 0660 before writing the file with g_key_file_save_to_file(). + +Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with +the keyfile string data. +I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being +used to copy permissions, but alas not. + +GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666, +which undoes the previous chmod(). + +Use g_file_set_contents_full() with the correct mode for newer GLib versions, +and provide a fallback with the same semantics for older versions. +--- + contrib/fwupd.spec.in | 3 ++ + libfwupdplugin/fu-plugin.c | 65 +++++++++++++++++++++++++++++------ + libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++ + 3 files changed, 114 insertions(+), 11 deletions(-) + +diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in +index a50e30a9c..0854fcf4f 100644 +--- a/contrib/fwupd.spec.in ++++ b/contrib/fwupd.spec.in +@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do + fi + done + ++# ensure this is private ++chmod 0660 /etc/fwupd/redfish.conf ++ + %preun + %systemd_preun fwupd.service + +diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c +index 18042a028..04951de85 100644 +--- a/libfwupdplugin/fu-plugin.c ++++ b/libfwupdplugin/fu-plugin.c +@@ -9,6 +9,7 @@ + #include "config.h" + + #include ++#include + #include + #include + #include +@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value, + return g_key_file_save_to_file(keyfile, conf_path, error); + } + ++#if !GLIB_CHECK_VERSION(2, 66, 0) ++ ++#define G_FILE_SET_CONTENTS_CONSISTENT 0 ++typedef guint GFileSetContentsFlags; ++static gboolean ++g_file_set_contents_full(const gchar *filename, ++ const gchar *contents, ++ gssize length, ++ GFileSetContentsFlags flags, ++ int mode, ++ GError **error) ++{ ++ gint fd; ++ gssize wrote; ++ ++ if (length < 0) ++ length = strlen(contents); ++ fd = g_open(filename, O_CREAT, mode); ++ if (fd <= 0) { ++ g_set_error(error, ++ G_IO_ERROR, ++ G_IO_ERROR_FAILED, ++ "could not open %s file", ++ filename); ++ return FALSE; ++ } ++ wrote = write(fd, contents, length); ++ if (wrote != length) { ++ g_set_error(error, ++ G_IO_ERROR, ++ G_IO_ERROR_FAILED, ++ "did not write %s file", ++ filename); ++ g_close(fd, NULL); ++ return FALSE; ++ } ++ return g_close(fd, error); ++} ++#endif ++ + /** + * fu_plugin_set_secure_config_value: + * @self: a #FuPlugin +@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self, + GError **error) + { + g_autofree gchar *conf_path = fu_plugin_get_config_filename(self); +- gint ret; ++ g_autofree gchar *data = NULL; ++ g_autoptr(GKeyFile) keyfile = g_key_file_new(); + + g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE); + g_return_val_if_fail(error == NULL || *error == NULL, FALSE); +@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self, + g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path); + return FALSE; + } +- ret = g_chmod(conf_path, 0660); +- if (ret == -1) { +- g_set_error(error, +- FWUPD_ERROR, +- FWUPD_ERROR_INTERNAL, +- "failed to set permissions on %s", +- conf_path); ++ if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error)) + return FALSE; +- } +- +- return fu_plugin_set_config_value(self, key, value, error); ++ g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value); ++ data = g_key_file_to_data(keyfile, NULL, error); ++ if (data == NULL) ++ return FALSE; ++ return g_file_set_contents_full(conf_path, ++ data, ++ -1, ++ G_FILE_SET_CONTENTS_CONSISTENT, ++ 0660, ++ error); + } + + /** +-- +2.39.1 + diff --git a/fwupd.spec b/fwupd.spec index 15ce573..03d4fa2 100644 --- a/fwupd.spec +++ b/fwupd.spec @@ -40,7 +40,7 @@ Summary: Firmware update daemon Name: fwupd Version: 1.7.8 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ URL: https://github.com/fwupd/fwupd Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz @@ -61,6 +61,11 @@ Source301: redhatsecureboot301.cer Source500: redhatsecurebootca5.cer Source503: redhatsecureboot503.cer +Patch1: 0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch +Patch2: 0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch +Patch3: 0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch +Patch4: 0001-Use-usr-libexec-platform-python-for-RHEL.patch + BuildRequires: efi-srpm-macros BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} @@ -163,7 +168,7 @@ Requires: %{name}%{?_isa} = %{version}-%{release} Data files for installed tests. %prep -%setup -q +%autosetup -p1 mkdir -p subprojects/libjcat tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1 @@ -526,6 +531,10 @@ done %endif %changelog +* Mon Feb 20 2023 Richard Hughes 1.7.8-2 +- Backport the Redfish security fixes which affect IDRAC. +- Resolves: rhbz#2170950 + * Wed Jun 15 2022 Richard Hughes 1.7.8-1 - New upstream release - Resolves: rhbz#2095668